1. First, enable auditing of file access in the audit server. The "FILE access" entry should appear in the list of enabled audits, as shown below.
System security audits currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached
FILE access:
Failure: read,write,execute,delete,control
If "FILE access" is NOT enabled, run the command below to enable it.
Command : set audit/audit/enable=access=failure/class=file
2. Choose the file for which you want file access auditing enabled.
For example:
File name : DSA10:[TMP]REN.COM
First, check whether the required ACL is already defined for this file, using the command below.
Command :
DIR/SECURITY UTIL:[TMP]REN.COM;
Directory UTIL:[TMP]
REN.COM;3 19-JUN-2021 16:01:53.57 [SYSTEM] (RWED,RWED,RE,)
The output above shows that NO ACL is set on this file.
Then run the command below to define the ACL.
Command :
SET SECURITY DSA10:[TMP]REN.COM/ -
acl=((AUDIT=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE), -
(ALARM=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE))
Now verify that the required ACL has been applied to the file.
Command :
DIR/SECURITY _DSA10:[TMP]REN.COM
Directory DSA10:[TMP]
REN.COM;2 25-JAN-2021 17:12:25.29 [SYSTEM] (RWED,RWED,RE,)
(AUDIT=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE)
(ALARM=SECURITY,ACCESS=WRITE+DELETE+CONTROL+SUCCESS+FAILURE)
Alert generated on the console log:
%%%%%%%%%%% OPCOM 19-JUN-2021 16:01:53.58 %%%%%%%%%%%
Message from user AUDIT$SERVER on ALPX86
Security alarm (SECURITY) and security audit (SECURITY) on ALPX86, system id: 1068
Auditable event: Object access
Event time: 19-JUN-2021 16:01:53.57
PID: 202000D3
Process name: _FTA3:
Username: SYSTEM
Process owner: [SYSTEM]
Terminal name: FTA3:
Image name: DSA0:[SYS0.SYSCOMMON.][SYSEXE]TPU.EXE
Object class name: FILE
File name: _DSA10:[TMP]REN.COM;2
File ID: (466,24,0)
Access requested: READ,WRITE
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Sequence key: 0056FEFC
Status: %SYSTEM-S-NORMAL, normal successful completion
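
An added example, not part of the original post: Python that parses OPCOM security alarm text in the format shown above and reports alarms requesting WRITE, DELETE or CONTROL access to a watched file, for instance when console logs are forwarded to a log collector. The function names and the watched-file set are assumptions made for illustration; the sample alarm is copied from the console log above with a few fields omitted.

```python
import re

# Alarm text copied from the console log on this page (a few fields omitted).
SAMPLE_ALARM = """\
%%%%%%%%%%% OPCOM 19-JUN-2021 16:01:53.58 %%%%%%%%%%%
Message from user AUDIT$SERVER on ALPX86
Security alarm (SECURITY) and security audit (SECURITY) on ALPX86, system id: 1068
Auditable event: Object access
Event time: 19-JUN-2021 16:01:53.57
PID: 202000D3
Username: SYSTEM
Image name: DSA0:[SYS0.SYSCOMMON.][SYSEXE]TPU.EXE
Object class name: FILE
File name: _DSA10:[TMP]REN.COM;2
Access requested: READ,WRITE
Status: %SYSTEM-S-NORMAL, normal successful completion
"""

BANNER = re.compile(r"^%+ OPCOM .* %+$", re.M)          # one banner per OPCOM message
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*)$")  # "Label: value" lines
MODIFYING = {"WRITE", "DELETE", "CONTROL"}              # access types named in the ACL

def parse_alarms(text):
    """Split console text on OPCOM banners; return a field dict per object-access alarm."""
    alarms = []
    for block in BANNER.split(text):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields.get("Auditable event") == "Object access":
            alarms.append(fields)
    return alarms

def modifying_accesses(alarms, watched):
    """Return (user, image, file, access) for alarms requesting modifying access to watched files."""
    hits = []
    for a in alarms:
        # Drop the leading "_" and ";version" so every version of the file matches.
        name = a.get("File name", "").lstrip("_").split(";")[0].upper()
        access = {x.strip() for x in a.get("Access requested", "").split(",")} & MODIFYING
        if name in watched and access:
            hits.append((a.get("Username"), a.get("Image name"), name, sorted(access)))
    return hits

if __name__ == "__main__":
    for hit in modifying_accesses(parse_alarms(SAMPLE_ALARM), {"DSA10:[TMP]REN.COM"}):
        print(hit)
```
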